Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package iwd for openSUSE:Factory checked in at 2023-07-10 16:39:49 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/iwd (Old) and /work/SRC/openSUSE:Factory/.iwd.new.23466 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "iwd" Mon Jul 10 16:39:49 2023 rev:40 rq:1097854 version:2.7 Changes: -------- --- /work/SRC/openSUSE:Factory/iwd/iwd.changes 2023-06-27 23:18:28.468029938 +0200 +++ /work/SRC/openSUSE:Factory/.iwd.new.23466/iwd.changes 2023-07-10 16:39:50.434521358 +0200 @@ -1,0 +2,6 @@ +Sat Jul 8 04:32:07 UTC 2023 - Luigi Baldoni <aloi...@gmx.com> + +- Update to version 2.7 + * Fix issue with handling FT-8021X and SHA256 PMKID derivation. + +------------------------------------------------------------------- Old: ---- iwd-2.6.tar.sign iwd-2.6.tar.xz New: ---- iwd-2.7.tar.sign iwd-2.7.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ iwd.spec ++++++ --- /var/tmp/diff_new_pack.wrZ4cj/_old 2023-07-10 16:39:51.158525673 +0200 +++ /var/tmp/diff_new_pack.wrZ4cj/_new 2023-07-10 16:39:51.158525673 +0200 @@ -17,7 +17,7 @@ Name: iwd -Version: 2.6 +Version: 2.7 Release: 0 Summary: Wireless daemon for Linux License: LGPL-2.1-or-later @@ -29,10 +29,10 @@ # needed for the tests to generate certificates # BuildRequires: openssl BuildRequires: pkgconfig -BuildRequires: readline-devel BuildRequires: systemd-rpm-macros BuildRequires: pkgconfig(dbus-1) -BuildRequires: pkgconfig(ell) >= 0.56 +BuildRequires: pkgconfig(ell) >= 0.57 +BuildRequires: pkgconfig(readline) BuildRequires: pkgconfig(systemd) %{?systemd_ordering} ++++++ iwd-2.6.tar.xz -> iwd-2.7.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iwd-2.6/ChangeLog new/iwd-2.7/ChangeLog --- old/iwd-2.6/ChangeLog 2023-06-22 17:17:27.000000000 +0200 +++ new/iwd-2.7/ChangeLog 2023-07-05 18:37:56.000000000 +0200 
@@ -1,3 +1,6 @@ +ver 2.7: + Fix issue with handling FT-8021X and SHA256 PMKID derivation. + ver 2.6: Add support for setting driver specific quirks. Add support for disabling power saving mode. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iwd-2.6/configure new/iwd-2.7/configure --- old/iwd-2.6/configure 2023-06-22 17:19:16.000000000 +0200 +++ new/iwd-2.7/configure 2023-07-05 18:39:45.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for iwd 2.6. +# Generated by GNU Autoconf 2.71 for iwd 2.7. # # # Copyright (C) 1992-1996, 1998-2017, 2020-2021 Free Software Foundation, @@ -618,8 +618,8 @@ # Identity of this package. PACKAGE_NAME='iwd' PACKAGE_TARNAME='iwd' -PACKAGE_VERSION='2.6' -PACKAGE_STRING='iwd 2.6' +PACKAGE_VERSION='2.7' +PACKAGE_STRING='iwd 2.7' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1433,7 +1433,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures iwd 2.6 to adapt to many kinds of systems. +\`configure' configures iwd 2.7 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1504,7 +1504,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of iwd 2.6:";; + short | recursive ) echo "Configuration of iwd 2.7:";; esac cat <<\_ACEOF @@ -1661,7 +1661,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -iwd configure 2.6 +iwd configure 2.7 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. 
@@ -1879,7 +1879,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by iwd $as_me 2.6, which was +It was created by iwd $as_me 2.7, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -3154,7 +3154,7 @@ # Define the identity of the package. PACKAGE='iwd' - VERSION='2.6' + VERSION='2.7' printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h @@ -14984,7 +14984,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by iwd $as_me 2.6, which was +This file was extended by iwd $as_me 2.7, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -15052,7 +15052,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -iwd config.status 2.6 +iwd config.status 2.7 configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iwd-2.6/configure.ac new/iwd-2.7/configure.ac --- old/iwd-2.6/configure.ac 2023-06-22 17:17:27.000000000 +0200 +++ new/iwd-2.7/configure.ac 2023-07-05 18:37:56.000000000 +0200 @@ -1,5 +1,5 @@ AC_PREREQ([2.69]) -AC_INIT([iwd],[2.6]) +AC_INIT([iwd],[2.7]) AC_CONFIG_HEADERS(config.h) AC_CONFIG_AUX_DIR(build-aux) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iwd-2.6/src/crypto.c new/iwd-2.7/src/crypto.c --- old/iwd-2.6/src/crypto.c 2022-11-18 13:31:49.000000000 +0100 +++ new/iwd-2.7/src/crypto.c 2023-07-05 18:37:56.000000000 +0200 
@@ -1116,9 +1116,10 @@ } /* Defined in 802.11-2012, Section 11.6.1.3 Pairwise Key Hierarchy */ -bool crypto_derive_pmkid(const uint8_t *pmk, +bool crypto_derive_pmkid(const uint8_t *pmk, size_t key_len, const uint8_t *addr1, const uint8_t *addr2, - uint8_t *out_pmkid, bool use_sha256) + uint8_t *out_pmkid, + enum l_checksum_type checksum) { uint8_t data[20]; @@ -1126,10 +1127,7 @@ memcpy(data + 8, addr2, 6); memcpy(data + 14, addr1, 6); - if (use_sha256) - return hmac_sha256(pmk, 32, data, 20, out_pmkid, 16); - else - return hmac_sha1(pmk, 32, data, 20, out_pmkid, 16); + return hmac_common(checksum, pmk, key_len, data, 20, out_pmkid, 16); } enum l_checksum_type crypto_sae_hash_from_ecc_prime_len(enum crypto_sae type, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iwd-2.6/src/crypto.h new/iwd-2.7/src/crypto.h --- old/iwd-2.6/src/crypto.h 2022-11-18 13:31:49.000000000 +0100 +++ new/iwd-2.7/src/crypto.h 2023-07-05 18:37:56.000000000 +0200 @@ -154,9 +154,10 @@ bool sha384, uint8_t *out_ptk, size_t ptk_len, uint8_t *out_ptk_name); -bool crypto_derive_pmkid(const uint8_t *pmk, +bool crypto_derive_pmkid(const uint8_t *pmk, size_t key_len, const uint8_t *addr1, const uint8_t *addr2, - uint8_t *out_pmkid, bool use_sha256); + uint8_t *out_pmkid, + enum l_checksum_type checksum); enum crypto_sae { CRYPTO_SAE_LOOPING, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iwd-2.6/src/eapol.c new/iwd-2.7/src/eapol.c --- old/iwd-2.6/src/eapol.c 2023-05-24 17:38:48.000000000 +0200 +++ new/iwd-2.7/src/eapol.c 2023-07-05 18:37:56.000000000 +0200 
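Review bot: `crypto_derive_pmkid` now passes a caller-supplied `key_len` and `checksum` straight to `hmac_common`, but nothing documents which values are valid, and the comment above it still cites only the 802.11-2012 key-hierarchy section. Every call site visible in this diff passes the literal `32`, so the new parameter only helps once callers supply the real PMK length. I would extend the header comment along the lines of `/* key_len: PMK length in bytes; checksum: HMAC hash chosen for the AKM; out_pmkid receives 16 bytes */`. The same wording belongs on the prototype in crypto.h.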
@@ -1112,8 +1112,8 @@ memcpy(ek->key_nonce, sm->handshake->anonce, sizeof(ek->key_nonce)); /* Write the PMKID KDE into Key Data field unencrypted */ - crypto_derive_pmkid(sm->handshake->pmk, sm->handshake->spa, aa, - pmkid, false); + crypto_derive_pmkid(sm->handshake->pmk, 32, sm->handshake->spa, aa, + pmkid, L_CHECKSUM_SHA1); eapol_key_data_append(ek, sm->mic_len, HANDSHAKE_KDE_PMKID, pmkid, 16); @@ -1234,12 +1234,7 @@ if (!found) goto error_unspecified; } else if (pmkid) { - uint8_t own_pmkid[16]; - - if (!handshake_state_get_pmkid(sm->handshake, own_pmkid)) - goto error_unspecified; - - if (l_secure_memcmp(pmkid, own_pmkid, 16)) { + if (!handshake_state_pmkid_matches(sm->handshake, pmkid)) { l_debug("Authenticator sent a PMKID that didn't match"); /* diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iwd-2.6/src/ft.c new/iwd-2.7/src/ft.c --- old/iwd-2.6/src/ft.c 2023-06-22 17:17:27.000000000 +0200 +++ new/iwd-2.7/src/ft.c 2023-07-05 18:37:56.000000000 +0200 @@ -825,15 +825,21 @@ ret = ft_over_ds_parse_action_response(frame, frame_len, &spa, &aa, &ies, &ies_len); - if (ret != 0) + if (ret != 0) { + l_debug("Could not parse action response"); return; + } info = ft_info_find(ifindex, aa); - if (!info) + if (!info) { + l_debug("No FT info found for BSS "MAC, MAC_STR(aa)); return; + } - if (!ft_parse_ies(info, hs, ies, ies_len)) + if (!ft_parse_ies(info, hs, ies, ies_len)) { + l_debug("Could not parse action response IEs"); goto ft_error; + } info->parsed = true; 
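Review bot: The `bool` result of `crypto_derive_pmkid` is discarded in the eapol.c hunk at -1112, and the next statement appends 16 bytes of `pmkid` to the unencrypted Key Data regardless. If the HMAC fails, the frame would carry whatever the buffer held; its declaration is outside the hunk, so whether it is initialised is not visible. Wrap the call as `if (!crypto_derive_pmkid(...))` and take the function's existing failure path before `eapol_key_data_append` runs. The station.c hunk at -2236 has the same pattern: the result of `handshake_state_get_pmkid(new_hs, pmkid, L_CHECKSUM_SHA1)` is ignored before `rsn_info.pmkids = pmkid`.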
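Review bot: In the eapol.c hunk at -1234, `handshake_state_pmkid_matches` folds "could not derive our own PMKID" into "PMKID did not match". The removed code sent a derivation failure to `error_unspecified`. The helper returns false in both cases, so a missing PMK now logs "Authenticator sent a PMKID that didn't match" and takes the mismatch branch, whose body continues outside the hunk. If the two paths are meant to differ, keep the derivation failure separate, for example by checking `sm->handshake->have_pmkid` or `have_pmk` before the comparison. Otherwise add a comment such as `/* derivation failure is treated as a mismatch on purpose */`.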
@@ -931,6 +937,8 @@ memcpy(ft_req + 2, info->spa, 6); memcpy(ft_req + 8, info->aa, 6); + l_debug(""); + if (!ft_build_authenticate_ies(hs, hs->supplicant_ocvc, info->snonce, ies, &len)) goto failed; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iwd-2.6/src/handshake.c new/iwd-2.7/src/handshake.c --- old/iwd-2.6/src/handshake.c 2023-05-24 17:38:48.000000000 +0200 +++ new/iwd-2.7/src/handshake.c 2023-07-05 18:37:56.000000000 +0200 @@ -734,10 +734,9 @@ s->have_pmkid = true; } -bool handshake_state_get_pmkid(struct handshake_state *s, uint8_t *out_pmkid) +bool handshake_state_get_pmkid(struct handshake_state *s, uint8_t *out_pmkid, + enum l_checksum_type sha) { - bool use_sha256; - /* SAE exports pmkid */ if (s->have_pmkid) { memcpy(out_pmkid, s->pmkid, 16); 
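Review bot: The new `sha` argument of `handshake_state_get_pmkid` (handshake.c hunk at -734) is silently ignored whenever `s->have_pmkid` is set, because the exported PMKID is copied out before any derivation. Callers such as the preauthentication path that pass `L_CHECKSUM_SHA1` could wrongly assume the result was computed with the hash they asked for. A line in the function comment would make this explicit, e.g. `/* sha is used only when the PMKID must be derived from the PMK */`. The function body continues into the next hunk.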
@@ -747,22 +746,56 @@ if (!s->have_pmk) return false; + return crypto_derive_pmkid(s->pmk, 32, s->spa, s->aa, out_pmkid, + sha); +} + +bool handshake_state_pmkid_matches(struct handshake_state *s, + const uint8_t *check) +{ + uint8_t own_pmkid[16]; + enum l_checksum_type sha; + /* - * Note 802.11 section 11.6.1.3: - * "When the PMKID is calculated for the PMKSA as part of RSN - * preauthentication, the AKM has not yet been negotiated. In this - * case, the HMAC-SHA1-128 based derivation is used for the PMKID - * calculation." + * 802.11-2020 Table 9-151 defines the hashing algorithm to use + * for various AKM's. Note some AKMs are omitted here because they + * export the PMKID individually (SAE/FILS/FT-PSK) + * + * SHA1: + * 00-0F-AC:1 (8021X) + * 00-0F-AC:2 (PSK) + * + * SHA256: + * 00-0F-AC:3 (FT-8021X) + * 00-0F-AC:5 (8021X-SHA256) + * 00-0F-AC:6 (PSK-SHA256) + * + * SHA384: + * 00-0F-AC:13 (FT-8021X-SHA384) */ - if (s->akm_suite & (IE_RSN_AKM_SUITE_8021X_SHA256 | - IE_RSN_AKM_SUITE_PSK_SHA256)) - use_sha256 = true; + IE_RSN_AKM_SUITE_PSK_SHA256 | + IE_RSN_AKM_SUITE_FT_OVER_8021X)) + sha = L_CHECKSUM_SHA256; else - use_sha256 = false; + sha = L_CHECKSUM_SHA1; + + if (!handshake_state_get_pmkid(s, own_pmkid, sha)) + return false; + + if (l_secure_memcmp(own_pmkid, check, 16)) { + if (s->akm_suite != IE_RSN_AKM_SUITE_FT_OVER_8021X) + return false; + + l_debug("PMKID did not match, trying SHA1 derivation"); + + if (!handshake_state_get_pmkid(s, own_pmkid, L_CHECKSUM_SHA1)) + return false; + + return l_secure_memcmp(own_pmkid, check, 16) == 0; + } - return crypto_derive_pmkid(s->pmk, s->spa, s->aa, out_pmkid, - use_sha256); + return true; } void handshake_state_set_gtk(struct handshake_state *s, const uint8_t *key, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iwd-2.6/src/handshake.h new/iwd-2.7/src/handshake.h --- old/iwd-2.6/src/handshake.h 2023-01-23 19:46:38.000000000 +0100 +++ new/iwd-2.7/src/handshake.h 2023-07-05 
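Review bot: The comment table in `handshake_state_pmkid_matches` lists SHA384 for 00-0F-AC:13 (FT-8021X-SHA384), but the selection below it only ever yields `L_CHECKSUM_SHA256` or `L_CHECKSUM_SHA1`, and `handshake_state_get_pmkid` passes a fixed key length of `32` to `crypto_derive_pmkid`. An FT-8021X-SHA384 association would therefore be checked with HMAC-SHA1, unless that AKM exports its PMKID elsewhere, which is not visible here. Either add the SHA384 case with the PMK length taken from the handshake state, or drop the entry and state that the AKM is not handled. The SHA1 retry for `IE_RSN_AKM_SUITE_FT_OVER_8021X` also needs a comment giving its reason (presumably authenticators that still derive with SHA1), since it deliberately accepts a second derivation.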
18:37:56.000000000 +0200 @@ -269,8 +269,10 @@ void handshake_state_override_pairwise_cipher(struct handshake_state *s, enum ie_rsn_cipher_suite pairwise); -bool handshake_state_get_pmkid(struct handshake_state *s, uint8_t *out_pmkid); - +bool handshake_state_get_pmkid(struct handshake_state *s, uint8_t *out_pmkid, + enum l_checksum_type sha); +bool handshake_state_pmkid_matches(struct handshake_state *s, + const uint8_t *check); bool handshake_decode_fte_key(struct handshake_state *s, const uint8_t *wrapped, size_t key_len, uint8_t *key_out); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iwd-2.6/src/station.c new/iwd-2.7/src/station.c --- old/iwd-2.6/src/station.c 2023-05-24 17:38:48.000000000 +0200 +++ new/iwd-2.7/src/station.c 2023-07-05 18:37:56.000000000 +0200 @@ -2236,7 +2236,15 @@ new_hs->supplicant_ie[1] + 2, &rsn_info); - handshake_state_get_pmkid(new_hs, pmkid); + /* + * IEEE 802.11 Section 12.7.1.3: + * + * "When the PMKID is calculated for the PMKSA as part of + * preauthentication, the AKM has not yet been negotiated. + * In this case, the HMAC-SHA-1 based derivation is used for + * the PMKID calculation." + */ + handshake_state_get_pmkid(new_hs, pmkid, L_CHECKSUM_SHA1); rsn_info.num_pmkids = 1; rsn_info.pmkids = pmkid;